The official weblog of Secure Progression

October 03, 2007

Nmap and out-of-date software on the network

Nmap can be extremely helpful in finding old versions of software on your network. Updated software reduces network worm infections and hacking from internal and external sources. Here's how you use Nmap to do it:

nmap -vv -F -sS -A -P0 [some ip]

I like to use "-vv" for extra detail.

Let's say I just wanted to check the version of SSH I was using on an older Linux machine. Nmap can even tell me what protocol revision SSH supports on the machine. Here is how I would do that:

nmap -sS -A -P0 -p 22 [my ip] | grep ssh

Here are the results from an actual machine:

22/tcp open ssh OpenSSH 3.6.1p2 (protocol 1.99)

A reported protocol version of 1.99 means the SSH server still accepts the older protocol 1 as well as protocol 2. That has issues, and OpenSSH needs to be updated on this machine.

Nmap and software version detection inside Secure Trends

Because Secure Trends can use Nmap for scanning, it gathers information about open network software running on computers that have been scanned. From the Ports tab, you can click on a port to see which computers have that port open and what software is running on those machines.

Above is a partial screenshot from a real set of hosts in ST. Each IP is a clickable link so that you can see everything else running on that machine. In this case two machines are still allowing protocol version 1.99, but it is probably easily fixed by changing their config file to only permit version 2.0. How do I know this? Partly because I already know, but also because the machine with the IP address ending ".24" is running the same OpenSSH program version, but is clearly locked down to only support protocol version 2.
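
As an added example (not from the original post or from Secure Trends), here is the single-host grep check extended to a whole scan, so the same comparison between hosts can be made from the command line. It reads Nmap's grepable output (-oG) and flags every open SSH service that does not report protocol 2.0; the sample lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample lines are constructed (192.0.2.0/24 is a documentation
# range); function names are hypothetical, not part of Nmap or Secure Trends.

# Emits constructed Nmap grepable output (-oG): tab-separated fields per host,
# each port written as port/state/protocol/owner/service/rpcinfo/version/.
sample_scan() {
  printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.6.1p2 (protocol 1.99)/\n'
  printf 'Host: 192.0.2.17 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.6.1p2 (protocol 1.99)/, 80/open/tcp//http//Apache httpd/\n'
  printf 'Host: 192.0.2.24 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.6.1p2 (protocol 2.0)/\tIgnored State: closed (99)\n'
  printf 'Host: 192.0.2.30 ()\tPorts: 22/closed/tcp//ssh///\n'
}

# Reads grepable output on stdin and prints one line per open SSH service:
#   <ip> <port>/tcp <software version> protocol=<n> <ok|REVIEW>
# Anything other than protocol 2.0 (including no protocol reported) is REVIEW.
ssh_protocol_report() {
  awk '
    /^Host: / && index($0, "Ports: ") {
      ip = $2
      ports = substr($0, index($0, "Ports: ") + 7)
      sub(/\t.*/, "", ports)            # drop later fields such as "Ignored State"
      n = split(ports, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] != "open" || f[5] != "ssh") continue
        ver = f[7]
        proto = "unknown"
        if (match(ver, /\(protocol [0-9.]+\)/)) {
          proto = substr(ver, RSTART + 10, RLENGTH - 11)
          ver = substr(ver, 1, RSTART - 2)
        }
        flag = (proto == "2.0") ? "ok" : "REVIEW"
        printf "%s %s/tcp %s protocol=%s %s\n", ip, f[1], ver, proto, flag
      }
    }'
}

# Stand-alone run on the constructed sample. Against a real network, feed it:
#   nmap -sS -A -P0 -p 22 -oG - [ip range] | ssh_protocol_report
sample_scan | ssh_protocol_report
```

Hosts that show the same OpenSSH version but different protocol values, like the first and third sample hosts, point to a configuration difference rather than a software difference.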